My talk at European Drupal Days 2015 in Milan, Italy.
Drupalgeddon was the single biggest Drupal security vulnerability to date. But it isn't the only one, as there have been many more vulnerabilities with less publicity. In this talk I will explain what happened with Drupalgeddon and how to prepare for similar situations in the future. We will also look at some best practices for securing your Drupal website.
Drupal Security: How to survive Drupalgeddon and prepare for the future
1. DRUPAL SECURITY
HOW TO SURVIVE DRUPAGEDDON AND PREPARE FOR THE FUTURE
Created by Kristian Polso / @kristian_polso
2. ABOUT ME
Kristian Polso
CTO at Vaiste Productions
Been working with Drupal since version 5
Earlier PHP background
@kristian_polso
3. ABOUT VAISTE PRODUCTIONS
Drupal solutions company
Based in Turku, Finland
Focus on more customized Drupal solutions & integrations
http://vaiste.com / @vaisteprod
4. PURPOSE OF THIS PRESENTATION
What was Drupageddon and what happened
How to prepare for similar vulnerabilities
Best practices
5. WHAT WAS DRUPAGEDDON?
A SQL injection vulnerability (SA-CORE-2014-005, CVE-2014-3704) found in Drupal 7's database abstraction API
Drupal Security Team was informed of it in September 2014
Update released on October 15 2014 (Drupal 7.32)
Biggest vulnerability in Drupal's history
Name coined on Twitter (#drupageddon)
6. HOW DID DRUPAGEDDON WORK?
// includes/database/database.inc (Drupal 7.31, DatabaseConnection::expandArguments)
foreach (array_filter($args, 'is_array') as $key => $data) {
  foreach ($data as $i => $value) {
    $new_keys[$key . '_' . $i] = $value;
  }
}
$args holds the placeholder values handed to db_query(); when an array submitted by the user (e.g. a form field sent as name[...]) ends up there, the array keys are under the user's control
$i is supposed to be an array index, i.e. an integer, and is concatenated into a new placeholder name that is then spliced into the SQL text
SUPPOSED to be... nothing checked that, so an attacker-chosen key became raw SQL (fixed in 7.32 by iterating over array_values($data) instead of $data)
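To make the mechanism concrete, here is an added, stand-alone example that is not part of the slides and not Drupal's own file: it re-implements the placeholder expansion done by DatabaseConnection::expandArguments() in its 7.31 (vulnerable) and 7.32 (fixed) forms and runs both on a constructed login query whose :name placeholder is given an array with an attacker-chosen key. It only builds the SQL string and prints it; no database is touched. The function names expand_arguments_vulnerable / expand_arguments_fixed and the sample input are this example's own.

```php
<?php
// Added example: re-implementation of Drupal 7's expandArguments() placeholder
// expansion, vulnerable (7.31) and fixed (7.32) variants. Not Drupal's file.

function expand_arguments_vulnerable(&$query, array &$args) {
  $modified = FALSE;
  // An array-valued placeholder :key is expanded into ":key_<i>, :key_<i>, ..."
  // where <i> is taken straight from the caller's array keys.
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;   // $i is user-controlled here
    }
    // The generated placeholder names, including whatever $i contained,
    // are written into the SQL text.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
    $modified = TRUE;
  }
  return $modified;
}

function expand_arguments_fixed(&$query, array &$args) {
  $modified = FALSE;
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    // 7.32 fix: array_values() drops the caller's keys, so $i is always 0, 1, 2, ...
    foreach (array_values($data) as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
    $modified = TRUE;
  }
  return $modified;
}

// Constructed input (not from the slides): the kind of query the user login
// form runs, with the :name placeholder supplied as an array whose *key* is
// attacker-chosen. In a real request this arrives as a field like name[<key>]=<value>.
$attacker_key = "0 ;UPDATE {users} SET name = 'owned' WHERE uid = 1 ; -- ";
$query = "SELECT * FROM {users} WHERE name IN (:name) AND status = 1";
$args  = array(':name' => array($attacker_key => 'x'));

$q1 = $query; $a1 = $args;
expand_arguments_vulnerable($q1, $a1);
echo "7.31: $q1\n";
// 7.31: SELECT * FROM {users} WHERE name IN (:name_0 ;UPDATE {users} SET name = 'owned' WHERE uid = 1 ; -- ) AND status = 1

$q2 = $query; $a2 = $args;
expand_arguments_fixed($q2, $a2);
echo "7.32: $q2\n";
// 7.32: SELECT * FROM {users} WHERE name IN (:name_0) AND status = 1
```

The vulnerable output shows why this was injection in a layer that was meant to make injection impossible: the attacker never touches a value, only an array key, and that key is concatenated into the query text before it ever reaches a prepared statement. The fixed variant produces the same harmless `:name_0` for any key the attacker supplies.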
13. THE AFTERMATH
BBC: "Up to 12 million websites may have been compromised"
Some hosting partners were really quick to patch
Drupal Security Team was super useful
14. CRAWLING THE TOP 15,000 DRUPAL WEBSITES
goo.gl/NPr20o (polso.info)
Done in November 2014
15. IF YOU GOT HACKED
Recover from backups taken before the vulnerability was disclosed (October 15 2014), then update to 7.32 or later before putting the site back online
drupal.org/project/drupalgeddon (Drush command that checks a site for known indicators of the exploit)
16. HOW TO BE SAFE FROM SECURITY VULNERABILITIES
Keep Drupal core & modules updated
Use managed hosting platforms (Acquia, Platform.sh, Pantheon)
Write secure code (drupal.org/writing-secure-code)